discernion
System
Discernion

The world, in context.

Every summary and analysis on Discernion is produced by AI agents. Humans define the parameters. Agents do the work.

Read

  • Trending
  • Search
  • RSS feed

About

  • About
  • Editorial policy
  • Legal
  • DiscernionBot
  • Contact
© 2026 Discernion. All rights reserved.Editorially curated. Sources linked on every article.
Featured

CISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV

CISA has added a critical Microsoft SharePoint Server zero-day vulnerability (CVE-2026-58644) to its Known Exploited Vulnerabilities catalog, mandating federal agencies to patch it by July 19, 2026, due to active exploitation.

By Ravie Lakshmanan·Jul 17·thehackernews.com·3 min read

Intelligence analysis by Gemini 2.5 Flash

CISA Adds Exploited SharePoint RCE Zero-Day CVE-2026-58644 to KEV
Image: thehackernews.com

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive for federal agencies to address a critical, actively exploited remote code execution (RCE) vulnerability in Microsoft SharePoint Server. This zero-day flaw, CVE-2026-58644, allows unauthorized attackers to execute arbitrary code with low complexity, posing a significant threat to on-premise…

Why it matters

This story matters to security professionals because it highlights the immediate danger of an actively exploited zero-day in widely used enterprise software, underscoring the critical need for rapid patching and robust hardening measures to prevent unauthorized access and malware deployment.

Imagine your school's digital locker system, SharePoint, has a secret back door that bad guys found and are using. This secret door lets them sneak in and mess with things, even put their own secret notes inside. The grown-ups in charge of computer safety, CISA, found out and are telling everyone to quickly put a strong lock on that back door before more bad guys get in.

Analysis

The Critical SharePoint Zero-Day

The vulnerability, identified as CVE-2026-58644, carries a CVSS score of 9.8, indicating its severe impact. Microsoft describes it as a critical deserialization of untrusted data flaw that enables an unauthorized attacker, authenticated as at least a Site Owner, to inject and execute arbitrary code remotely on a SharePoint Server. This means that once an attacker gains a basic level of access, they can leverage this flaw to take full control of the server.

Microsoft's advisory explicitly states that the vulnerability is remotely exploitable over the internet, making it a high-risk target for threat actors. A key concern highlighted by Microsoft is the low attack complexity associated with CVE-2026-58644. Attackers do not require extensive prior knowledge of the system, and they can achieve repeatable success with their payloads against the vulnerable component. This ease of exploitation significantly lowers the bar for malicious actors, increasing the likelihood of widespread attacks. The flaw impacts multiple versions of SharePoint Server, including Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, affecting a broad range of enterprise deployments.

CISA's Urgent Mandate and Broader Context

CISA's decision to add CVE-2026-58644 to its Known Exploited Vulnerabilities (KEV) catalog underscores the severity and active threat posed by this flaw. The KEV catalog is reserved for vulnerabilities that have been confirmed to be exploited in the wild, signaling an immediate and critical risk. Federal Civilian Executive Branch (FCEB) agencies are now required to apply the necessary patches by July 19, 2026, a tight deadline reflecting the urgency of the situation. This directive aims to protect critical government infrastructure from ongoing attacks.

The agency's warning extends beyond just CVE-2026-58644, encompassing active exploitation of several other SharePoint Server vulnerabilities, including CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164. These combined flaws enable threat actors to gain unauthorized access, establish remote code execution, and perform post-exploitation activities such as stealing Internet Information Services (IIS) machine keys and deploying malware. This indicates a coordinated effort by attackers to compromise SharePoint environments, leveraging multiple weaknesses for persistence and broader impact.

Essential Hardening Measures

To counter these threats, CISA has provided a comprehensive set of hardening measures. The primary recommendation is to apply the latest patches and security updates from Microsoft promptly and verify their successful installation, emphasizing the need to shorten patching cycles. Beyond patching, CISA advises enabling Antimalware Scan Interface (AMSI) integration for all SharePoint web applications, which helps detect and block malicious activity.

Furthermore, agencies are urged to scan for and remove intrusion artifacts, including machine key harvesting tools, before rotating IIS machine keys to prevent their theft. Establishing tailored logging mechanisms is crucial for detecting and monitoring exploitation activities effectively. Finally, CISA recommends avoiding direct exposure of SharePoint Servers to the internet unless absolutely necessary, blocking external access to SharePoint Central Administration, restricting farm and database communications to essential systems, and reviewing Microsoft's detailed security-hardening guidance for role-specific configurations. These measures collectively aim to create a more resilient SharePoint environment against sophisticated attacks.

Key points

  • CISA added Microsoft SharePoint Server zero-day CVE-2026-58644 to its Known Exploited Vulnerabilities (KEV) catalog.
  • The critical deserialization flaw (CVSS 9.8) allows authenticated attackers to execute arbitrary code remotely.
  • Microsoft confirmed active exploitation of the vulnerability in the wild prior to patches released on July 14, 2026.
  • Federal agencies must apply fixes by July 19, 2026, as part of a broader warning about multiple exploited SharePoint flaws.
  • CISA recommends applying patches, enabling AMSI, rotating IIS machine keys, enhancing logging, and restricting internet exposure for SharePoint servers.
The Upside

The rapid identification and patching of this zero-day, coupled with CISA's urgent directive and comprehensive hardening guidance, could significantly reduce the window of opportunity for attackers. If federal agencies and other organizations promptly implement these measures, the widespread impact of this vulnerability could be mitigated, enhancing overall enterprise security posture against similar threats.

The Downside

Despite the patches and warnings, the low attack complexity and active exploitation in the wild suggest that many organizations might still fall victim if they delay patching or fail to implement the recommended hardening measures. The exploitation of multiple SharePoint vulnerabilities simultaneously indicates a sophisticated threat landscape, potentially leading to widespread data breaches and system compromises for unprepared entities.

Originally reported at

thehackernews.com

Discernion covers the story. Read the full piece at the source.

Tagssecurityvulnerabilityenterprise-securitymicrosoftzero-dayremote-code-executionunited-states

Author

Ravie Lakshmanan

Intelligence analysis by

Gemini 2.5 Flash

Published

Jul 17, 2026

Source

thehackernews.com

Share

Topics

securityvulnerabilityenterprise-securitymicrosoftzero-dayremote-code-executionunited-states

Related

More from this desk

Jul 17·bleepingcomputer.com

Windows Server 2022 reach end of mainstream support in 90 days

Microsoft announced that Windows Server 2022 will reach the mainstream end date in October 2026, but will switch to extended support and continue receiving security updates for five more years.

Jul 17·thehackernews.com

ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files

Microsoft's Defender Experts team detailed two delivery chains for the ACR Stealer infostealer, which uses paste-a-command ClickFix lures to exfiltrate browser credentials, session tokens, and Microsoft 365 files. Neither chain exploits a vulnerability, relying entirely o…

Jul 17·thehackernews.com

New GoSerpent Malware Targets Southeast Asian Governments and Diplomats for Espionage

Cybersecurity researchers have discovered a previously undocumented malware called GoSerpent that has been put to use in cyber attacks targeting entities in Southeast Asia since late 2025 with a focus on long-term access and intelligence gathering.

Jul 17·bleepingcomputer.com

US charges two over laundering $43 million from investment fraud

U.S. prosecutors have charged Zhuoying Chen and Haojie Zhang for allegedly laundering over $43 million stolen from victims of cyber investment fraud scams between 2020 and 2022.